Cookie Does Not Contain The "secure" Attribute on ltm vip

Girishb401
Nimbostratus

Our security team reported that multiple vulnerabilities have been detected on one of our VIPs: 1.2.3.4 (on BIG-IP LTM v12.1.2).

Please refer to the list below:

1. Cookie Does Not Contain The "secure" Attribute
2. Path-Based Vulnerability
3. Session Cookie Does Not Contain the "Secure" Attribute
4. Slow HTTP POST vulnerability

I also referred to the article below, but I don't find any kind of persistence profile enabled, and no custom HTTP profile exists on the mentioned VIP.

K30524234: The HTTPOnly and Secure attributes are enabled by default in the Cookie persistence profile

If cookie persistence is not enabled on the VIP, is it something that needs to be looked at on the backend server (pool member)? Please confirm.

Kindly help me fix this issue.

Great thanks,

Girish

3 REPLIES

Lidev
MVP

Hi,

If you don't use a cookie persistence profile, you need to configure BIG-IP ASM to set the Secure and HttpOnly cookie flags.

Check your ASM policy configuration: Security ›› Application Security : Headers : Cookies List ›› Edit Cookie


Girishb401
Nimbostratus

OK. I am not sure whether we are allowed to provision BIG-IP ASM (new) on the F5 LB.

I also checked with an F5 TAC engineer, and he suggested the following:

"The security scan will test the traffic all the way through the virtual server, to the pool member. Since the BIG-IP virtual server is not generating the cookie, it must be the pool member server that is generating it. Therefore, the Qualys scan would be indicating that the vulnerable component is the server, NOT the BIG-IP virtual server."

So finally he is pointing to something to check on the backend server.

So I am a bit confused about what decision needs to be taken on this.

Lidev
MVP

Indeed, if you don't use the ASM module, you have to check this on the backend server: look at the configured Set-Cookie header (Secure; HttpOnly).

https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies

Regards
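To do the check Lidev describes against a pool member's response, here is an added example (not F5's code and not from anyone in this thread) that parses the Set-Cookie headers of a constructed HTTP response and reports every cookie lacking Secure or HttpOnly, flagging session cookies (no Expires/Max-Age) separately the way the scan report above does:

```python
from dataclasses import dataclass, field

@dataclass
class CookieFinding:
    name: str
    secure: bool
    httponly: bool
    session: bool  # no Expires and no Max-Age -> session cookie
    missing: list = field(default_factory=list)

def parse_set_cookie(value: str) -> CookieFinding:
    """Parse one Set-Cookie header value (name=value; attr; attr=val ...)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; keep only the name part.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    f = CookieFinding(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        session=not ({"expires", "max-age"} & attrs),
    )
    if not f.secure:
        f.missing.append("Secure")
    if not f.httponly:
        f.missing.append("HttpOnly")
    return f

def audit_response_headers(raw: str) -> list[CookieFinding]:
    """Return one finding per Set-Cookie header in a raw HTTP response head."""
    findings = []
    for line in raw.splitlines():
        key, sep, val = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            findings.append(parse_set_cookie(val.strip()))
    return findings

# Constructed sample response, as a pool member might return it through the VIP.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: JSESSIONID=abc123; Path=/
Set-Cookie: prefs=dark; Path=/; Max-Age=31536000
Set-Cookie: csrf=x1y2; Path=/; Secure; HttpOnly
"""

if __name__ == "__main__":
    for f in audit_response_headers(SAMPLE_RESPONSE):
        if f.missing:
            kind = "session cookie" if f.session else "cookie"
            print(f"{kind} {f.name!r} lacks: {', '.join(f.missing)}")
```

Run it against the headers captured directly from the pool member (bypassing the VIP); if the attributes are missing there, the fix belongs on the backend application, as the TAC engineer indicated.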